From: | Chapman Flack <chap(at)anastigmatix(dot)net> |
---|---|
To: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
Subject: | Re: pie-in-sky idea: 'sensitive' function parameters |
Date: | 2018-02-03 15:14:32 |
Message-ID: | 5A75D1D8.3070808@anastigmatix.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 02/02/18 22:46, Tom Lane wrote:
> ... the problem with this idea is that knowledge that the item ought to be
> hidden would be obtained only very late in the parsing process. So for
> example if you fat-fingered something just to the left of the function
> call in the query text, or the name of the function itself, your password
> would still get exposed in the log.
That didn't seem like a deal-breaker to me, as the common case I had
imagined for it would be where the query is coded into something (a webapp,
say) that just has some bits of sensitive data to pass in, and would surely
just be tested on dummy data until it was clear the canned query was at
least free of fat-finger issues.
Indeed, should the feature have to be restricted for practicality's sake
to only working with bound parameters and certain protocol variants, it
might not be easy or even possible to use it improvisationally from psql,
but that might be an acceptable limitation.
On 02/03/18 02:14, Craig Ringer wrote:
> About the only time I think it's really viable to pursue is if it's
> restricted to bind parameters. We only log those later and more
> selectively as it is, so it seems much more reasonable to say "I never
> want <parameter X> to appear in the logs".
And I think that could be an acceptable restriction. One way could use
a simple flag to accompany the parameter binding from the client, which
would be recognized early enough to keep the parameter out of the logs,
but also checked later when the function info is available, throwing an
error if it was used for a parameter not declared sensitive, or not used
for a parameter that is.
Or it could even have to be used in a prepared statement. A little
clunkier and one more round trip to the server, but probably not onerous,
and by the time PREPARE completes, surely it can be known which parameter
slots are declared that way.
Still wouldn't account for internal statements logged or errors thrown
by whatever the function does, but maybe the existing machinery for
declaring functions leakproof is at least a start on that?
-Chap
From | Date | Subject | |
---|---|---|---|
Next Message | Mark Rofail | 2018-02-03 15:19:06 | Re: [HACKERS] GSoC 2017: Foreign Key Arrays |
Previous Message | Michael Paquier | 2018-02-03 13:49:35 | Re: Regexp named capture groups |